Stanford University School of Earth Science
 

Email service on pangea ends on Nov 1, 2007. Information on this page is only valid until that date, for accounts that have not yet switched to another service.
Follow instructions to switch your email now!

Using Macintosh or Windows PC email programs with pangea

Copyright Phillip Farrell. Last revision July 14, 2006


Windows users: please read this note on protecting your computer from email viruses. So far, Macintosh and Unix/Linux systems have not been affected by email viruses. Users of those computers should also review that note, as email viruses are theoretically possible there as well.

If you always use the same networked Macintosh or Windows PC computer to read your email, and you don't share that computer with anyone else, you can process your email locally on your computer. Common programs used for this purpose are Eudora Pro, Mozilla, Netscape Communicator, Microsoft Outlook or Outlook Express (Outlook and Outlook Express are not recommended), and MacOS X Mail. These programs automatically connect to pangea (or other configured mail server) to download/upload messages using the POP or IMAP protocol. The actual display, sorting, saving, and composing of messages is done locally on your Macintosh or PC.

Macintosh or PC based mail readers are not appropriate for shared machines, as they generally cannot guarantee the privacy of the email for multiple users.

What are POP and IMAP, and how do I choose which one to use?

POP stands for Post Office Protocol and was the original method for personal computer email programs to communicate with and download mail from a server such as pangea. POP is designed to download your mail from the server and save it locally on your personal computer. In its simplest form, POP treats the mail server as simply a drop-off location for new messages, but stores and processes all messages locally on your computer.

IMAP (Internet Message Access Protocol) was designed to overcome the fundamental limitation of POP: because saved mail is stored on your personal computer, you cannot get to any of that saved mail unless you have that computer with you. In the IMAP protocol, all your mail, new and old, is generally stored on the server. You can read it from any computer that has a program that supports IMAP. Computers in both your office and home, for example, can see all new and old email.

Advantages and disadvantages of POP:

  • You generally have more disk space available on your own computer to store old mail than you are allowed to use on the server, so you don't have to worry about constantly cleaning up old mail to keep the system manager happy or avoid lost mail because you exceeded a quota.
  • If you use a laptop, you always have all your saved email with you, even if you are not connected to the network. Unfortunately, this also means that anyone else who can get into your laptop can see all your saved email.
  • In normal use, as soon as your program downloads your new messages from the server, they are deleted from the server. Therefore, you cannot see them from another computer (such as a home computer), or use pine or webmail when traveling.
  • You can use POP and still have access to recent email from another computer or program by correctly using the leave mail on server setting in your POP email client. Then other computers or programs can see your recent messages (but not your old messages saved in folders). If you do this, you must put a reasonable time limit for saving recent messages on the server after they have been downloaded, such as 7 days. Otherwise, you will rapidly exhaust your available "INBOX" space on the server and make your POP connections run much slower, as the server will have to sort through all your old saved messages every time you check for new messages.

    Some people are confused by this setting. They think that their new messages will be erased after the time limit if they don't check email during that time. This is not true. New messages that have not yet been downloaded by a POP client will never expire or be erased automatically. The time limit on the "leave mail on server" setting only applies once the mail has been downloaded by that POP client. This starts a timer for how long those downloaded messages can stay on the server in order to be downloaded by other computers or programs.

  • POP is inherently inefficient if you leave many messages in your INBOX. Using the POP protocol, your computer connects just long enough to read through your INBOX looking for new messages and delete old ones it has already downloaded (unless you specify the "leave mail on server" function). The POP service on pangea makes a complete working copy of your INBOX on the disk to do these functions. If you are leaving many messages in your INBOX, and checking email often, each check generates a lot of disk activity which slows down both your access and the entire system.

Advantages and disadvantages of IMAP:

  • The main advantage of IMAP is that you can access both your new messages and folders of saved email from multiple computers and programs because they are all stored on the server. This also means that your email messages are protected by the backup systems on the server that guard against accidental data loss. For example, pangea uses both duplicate disk drives and backup tapes to protect files. And if someone breaks into your local computer, he cannot see your saved email messages because they are not stored there.
  • The IMAP server on pangea interoperates with the pine email program and pangea's webmail interface. If you use IMAP with your personal computer mail program (such as Eudora), then you can also access the same email and saved folders by logging into pangea and running pine or by connecting your web browser to pangea's webmail interface. This is useful when you need to check your email from a computer that does not have your normal program installed (while traveling, for instance).
  • If you use IMAP and store your saved email on the server, you have an obligation to delete old email that you don't need, or you will quickly fill up the disks on the server. You can ameliorate this problem by using IMAP in a "hybrid" mode. Most email clients that use IMAP also let you create local mail folders that are stored only on your local computer disk, not on the server. Using this feature, you can drag folders of old mail from the server down to your primary computer, leaving only your more current messages on the server disks.
  • With IMAP, you need a network connection to see any of your new or saved mail, since it is all on the server. You can mitigate this for old mail by moving or copying it to local disk folders.
  • IMAP is inherently more efficient than POP if you have many messages in your INBOX. IMAP updates your INBOX directly, rather than making a separate working copy on the disk. It maintains a connection to your computer as long as you are reading, moving, or deleting messages. Therefore, it doesn't have to constantly copy your INBOX and read that copy to get a list of messages, as POP does. Pine and webmail operate the same way, and thus are also more efficient than POP. The IMAP service on pangea will disconnect your computer after 30 minutes of total inactivity (no IMAP commands at all received).

What are Kerberos and SSL, and how do I choose which one to use?

When your email program connects to pangea to get your messages, it must authenticate to the server, meaning that it must prove who you are, so the server will give it access to your email. There are three possible methods of authentication: Kerberos, SSL, and plain-text passwords.

Plain-text passwords should not be used for authentication, because your password is simply sent over the network in a clear text form that can be easily captured by a hacker. Pangea still permits plain-text authentication for some unusual circumstances, but that will eventually be discontinued. Plain-text authentication uses your pangea account name and pangea local password.

Kerberos and SSL are the recommended authentication methods because they both encrypt your password before it is sent on the network. All configuration instructions (below) are for one of these two encrypted connection methods. Each has some specific advantages.

First of all, remember that if you are using pangea as your email server, connecting with Kerberos uses your SUNet ID and password, but connecting with SSL uses your pangea local account name and local password. Although your pangea account name is generally the same as your SUNet ID name, the passwords should normally be different. Be sure to use the correct one!

To use Kerberos, you must install the MacLeland or PCLeland authentication agent on your computer (obtained from the Essential Stanford Software web site). The design of Kerberos then allows you to login to this agent once per day. The agent keeps an authentication credential (called a "ticket") in memory that normally lasts about 10 hours (you can change this time in the program), which it will supply to the server every time your email program checks for new messages. This way, you don't have to keep typing your password over and over nor do you need to store it on your computer's hard disk.

With SSL, you either have to type your password every time your program checks for new messages, or you have to store it on the computer's hard disk. Typing your password every 15 minutes is annoying. But storing your password on the computer is not a recommended security practice. Anyone with physical or network access to your computer can then potentially get into your email or even discover your password.

SSL encrypts both your password and all your messages as they are downloaded or sent. Kerberos only encrypts your password. If you are worried about someone intercepting the content of your email on the network, SSL appears to be better. But don't forget, this encryption is only between your computer and the server, both of which are generally on the fairly secure Stanford network. Your email messages are not encrypted as they are forwarded to and from other mail servers. For true security, you need to encrypt the mail message yourself before sending it, using a program such as PGP.

SSL will generally not work correctly for pangea email accounts if you are using a laptop configured to send mail through Stanford's authenticated SMTP server because you take that laptop traveling. See detailed instructions below.

Configuring your POP or IMAP client program.

You can get detailed instructions, including screen-shots, for configuring email programs for both POP and IMAP access on the ITSS Configuring Your Email Program web site. These configuration instructions are specifically for using the central server. Configuration for the pangea server is the same except for these important differences:

  • The basic settings for pangea for all email clients are:

    Incoming mail server: pangea.stanford.edu
    Outgoing mail server (SMTP): pangea.stanford.edu, or smtp.stanford.edu, or smtp-roam.stanford.edu (see discussion below)
    Automatic email check interval: 10 minutes or longer
    Kerberos version (if used): IV
    POP server port for Kerberos: 1109
    POP server port for SSL: 995 (normal default)
    IMAP server port for Kerberos: 143 (normal default)
    IMAP server port for SSL: 993 (normal default)

  • Wherever the ITSS instructions tell you to set your mail server to yoursunetid.pobox.stanford.edu, use pangea.stanford.edu instead. Do not include your SUNet ID as part of the server address when using pangea.
  • Wherever the ITSS instructions tell you to make proxy settings in MacLeland or PCLeland, they say to leave the mail server field blank. Instead, set it to pangea.stanford.edu.
  • The ITSS instructions recommend that you set your email program to check for new messages at intervals of 15 minutes or longer. On pangea, this is not just a recommendation. You are required to use a check interval of at least 10 minutes; 15 minutes or longer is preferable. Frequent checking imposes significant loads on pangea that slow down the system response for everyone. You will be notified by the pangea system manager if your email program is checking for new messages too frequently (more often than once every 10 minutes). Your access to email on pangea may be suspended if you insist on checking too frequently.
  • You can use smtp.stanford.edu as your SMTP (outgoing) mail server as specified in the ITSS instructions. If your computer is on-campus and most of your outgoing mail is to other people on pangea, use pangea.stanford.edu as the outgoing mail server for faster service. If your computer is off-campus (or travels between on-campus and off-campus networks), you should use the authenticated "smtp-roam" server described in the ITSS instructions with the kerberos authentication method. The SSL authentication method will only work with smtp-roam if your pangea login name is the same as your SUNet ID login name, and you set your pangea local password to be identical to your SUNet ID password, which is not recommended for security reasons.
  • When configuring Eudora Pro version 6.x to use POP with kerberos on pangea, there are important differences from the central server instructions. Basically, the central servers are using Kerberos version V with an SSL layer, but pangea is still using plain Kerberos version IV:

    • Eudora Pro 6.x for Macintosh using POP with Kerberos to pangea
      1. In the Kerberos settings, do not check Use Kerberos V/GSSAPI for POP3. The central servers require this setting, but pangea will not accept the connection if this setting is checked. In addition, make sure the Kerberos POP3 port is set to 1109, the Realm is set to IR.STANFORD.EDU, the Service Name: is set to pop, and the Service format: is set to ^0.^3@^2.
      2. In the SSL settings, in the SSL for POP drop-down menu, select Optional (TLS). Do not select Required, Alternate Port, which is only used by the central servers.
    • Eudora Pro 6.x for Windows PC using POP with Kerberos to pangea
      1. In the Checking Mail settings, locate the drop-down menu under the header Secure Sockets When Receiving. Select If Available, STARTTLS. Do not select Required, Alternate Port, which is used only for the central servers.
      2. In the Kerberos settings, click the ON button for the Kerberos 4 (POP only) setting. The central servers want this setting to be off, but it must be on for pangea. In addition, make sure the Kerberos POP3 port is set to 1109, the Realm is set to IR.STANFORD.EDU, the Service Name: is set to pop, and the Service format: is set to %1.%4@%3.

  • When configuring Mac OS X Mail to use POP with Kerberos, you must make these three changes in the Advanced tab of the account preferences:
    1. Use 1109 as the port number. Do not use 995 as specified by ITSS - that is only for the central campus mail servers.
    2. Do not check the Use SSL checkbox - that is only for the central campus mail servers.
    3. From the Authentication drop-down menu, select the Kerberized POP (KPOP) option. Do not select "Kerberos Version 5 (GSSAPI)", as specified by ITSS - that is only for the central campus mail servers.
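
The settings and rules in this section can be checked mechanically before a client is pointed at pangea. The following is an added example, not part of the original page or of any ITSS tool; the profile field names (protocol, auth, port and so on) are assumptions made for this sketch, while the servers, ports and limits are the ones listed above.

```python
# Added example: audit a mail-client profile against the pangea settings on this page.
# The profile field names are hypothetical; the values come from the list above.

# Expected server port for each (protocol, authentication) pair.
EXPECTED_PORT = {("pop", "kerberos"): 1109, ("pop", "ssl"): 995,
                 ("imap", "kerberos"): 143, ("imap", "ssl"): 993}
MIN_CHECK_MINUTES = 10  # required minimum check interval on pangea


def audit_profile(p):
    """Return a list of findings; an empty list means the profile follows the page."""
    findings = []
    proto, auth = p.get("protocol"), p.get("auth")
    if p.get("incoming_server") != "pangea.stanford.edu":
        findings.append("incoming server must be pangea.stanford.edu, without a SUNet ID prefix")
    if auth == "plain":
        findings.append("plain-text authentication sends the password unencrypted")
    elif (proto, auth) not in EXPECTED_PORT:
        findings.append(f"unsupported protocol/authentication pair: {proto}/{auth}")
    elif p.get("port") != EXPECTED_PORT[(proto, auth)]:
        findings.append(f"{proto} with {auth} uses port {EXPECTED_PORT[(proto, auth)]}, not {p.get('port')}")
    if auth == "kerberos" and p.get("kerberos_version") != "IV":
        findings.append("pangea uses Kerberos version IV")
    if p.get("check_interval_minutes", 0) < MIN_CHECK_MINUTES:
        findings.append("automatic check interval must be 10 minutes or longer")
    if proto == "pop" and p.get("leave_on_server") and p.get("delete_after_days") is None:
        findings.append("leave-mail-on-server needs a time limit, such as 7 days")
    if auth == "ssl" and p.get("smtp_server") == "smtp-roam.stanford.edu":
        findings.append("smtp-roam with SSL requires identical pangea and SUNet ID passwords")
    return findings


# Constructed sample profiles, not real accounts.
GOOD = {"incoming_server": "pangea.stanford.edu", "protocol": "imap", "auth": "ssl",
        "port": 993, "check_interval_minutes": 15, "smtp_server": "smtp.stanford.edu"}
BAD = {"incoming_server": "yoursunetid.pobox.stanford.edu", "protocol": "pop",
       "auth": "kerberos", "kerberos_version": "V", "port": 995,
       "check_interval_minutes": 5, "leave_on_server": True,
       "delete_after_days": None, "smtp_server": "pangea.stanford.edu"}

if __name__ == "__main__":
    for name, profile in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_profile(profile) or "no findings")
```

The BAD profile combines the central-server settings from the ITSS instructions (pobox host name, port 995, Kerberos V) with a 5-minute check interval and an unlimited leave-on-server setting, so each rule above produces one finding.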

Eudora Pro

Eudora Pro is the only personal computer email program that is recommended on campus. Eudora Pro has been site-licensed by Stanford and is available for download from campus servers. Please note the special configuration settings needed to use Eudora Pro with pangea rather than the central campus servers.

Other programs, such as Mozilla, Netscape and Outlook

Other PC or Macintosh email client programs, such as Mozilla, Netscape Communicator and Outlook may not natively support kerberos or SSL authentication and instead may just try to send your password over the network in plain text. With the latest versions of the MacLeland or PCLeland kerberos program, however, you can "trick" these other email programs into using kerberos authentication. See the MacLeland or PCLeland instructions on the web, or use the built-in help that comes with those programs.

Alternatively, pangea accepts POP or IMAP connections from many of these other PC or Macintosh email programs using the encrypted SSL protocol. For some clients, this is easier to configure than kerberos.

Multiple users on one account

Pangea accounts can also be configured to allow a professor's secretary to access his/her email via kerberos connection from personal computer mail programs. This does not work with SSL connections. This special kerberos configuration allows the secretary to use his/her own SUNet ID and password to access the professor's email. The professor does not need to disclose his/her password to the secretary; disclosing it would be a violation of Stanford's computing policies and is inherently insecure. Contact the pangea system manager to authorize such email sharing between two accounts.

Accessing email from off-campus

If your personal computer is not located on the Stanford campus, and you use an email program on that computer such as Eudora Pro, Netscape Communicator or Outlook that is configured to use pangea as the mail server, you may have problems sending email. Pangea must restrict email forwarding for non-Stanford computers to limit the abuse caused by unsolicited spam email. Read the detailed note that describes this problem and how to fix it.

 

